RSA2015: Securing the Internet of Things

Session ID: ASD-T10

#RSAC

Securing the Internet of Things: Mapping Attack Surface Areas Using the OWASP IoT Top 10

Daniel Miessler (@danielmiessler), Security Research, HP Fortify on Demand

HP Fortify on Demand

Security Research & Development

Penetration Testing

OWASP Project Leader (IoT, Mobile)

The Plan

Let’s Talk About Naming

A Vision of the Future (Universal Daemonization)

Why IoT is Currently Broken

Examples From Research

The OWASP IoT Project

Applying What We’ve Learned

One more thing…

What does it mean?

[ WIKIPEDIA ] The Internet of Things (IoT) is the network of physical objects or "things" embedded with electronics, software, sensors and connectivity to enable it to achieve greater value and service by exchanging data with the manufacturer, operator and/or other connected devices.

[ OXFORD ] A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.

Better Names

Universal Daemonization

Universal Object Interaction

Programmable Object Interfaces (POIs)

Transfurigated Phase Inversion

The Real Internet of Things

Universal Daemonization

The Current IoT Security Problem

network: services, encryption, firewall, input…

application: authN, authZ, input validation, etc.

mobile: insecure APIs, lack of encryption, etc.

cloud: yadda yadda AuthSessionAccess

IoT Security is the Worst-of-All-Worlds

net + app + mobile + cloud = IoT: an IoT product carries the network issues (services, encryption, firewall, input…), the application issues (authN, authZ, input validation, etc.), the mobile issues (insecure APIs, lack of encryption, etc.) and the cloud issues (yadda yadda AuthSessionAccess) all at once.

1 + 1 = 5

IoT Security Fail Examples (Authentication)

10/10 security systems accept ‘123456’

Account enumeration

Lack of account lockout
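The three authentication failures above (a default like ‘123456’ accepted, account enumeration, no lockout) closed in one place, as an added Go example that is not from the talk or from any product it tested; the in-memory account store, the banned-password list, the injectable clock and the five-attempt / fifteen-minute lockout policy are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"time"
)

// Defaults of the kind the talk reports every tested security system accepted.
var bannedPasswords = map[string]bool{"": true, "123456": true, "password": true, "admin": true}
const maxFailures, lockoutTime = 5, 15 * time.Minute // constructed policy for this example
// One error for unknown user, wrong password and locked account: no account enumeration.
var ErrDenied = errors.New("invalid credentials")
type account struct {
	hash     [32]byte // SHA-256(user, password); a real device should use a slow KDF
	failures int
	lockedTo time.Time
}
// Constructed in-memory store and injectable clock for this example.
var accounts = map[string]*account{}
var Now = time.Now
func hashPassword(user, pw string) [32]byte { return sha256.Sum256([]byte(user + "\x00" + pw)) }
// AddAccount refuses known defaults and short passwords at provisioning time.
func AddAccount(user, pw string) error {
	if bannedPasswords[pw] || len(pw) < 8 {
		return errors.New("password rejected: known default or too short")
	}
	accounts[user] = &account{hash: hashPassword(user, pw)}
	return nil
}

// Login locks the account after maxFailures and answers every failure identically.
func Login(user, pw string) error {
	acct, ok := accounts[user]
	if !ok {
		acct = &account{} // throwaway record: unknown users take the same code path
	}
	if Now().Before(acct.lockedTo) {
		return ErrDenied
	}
	if got := hashPassword(user, pw); subtle.ConstantTimeCompare(got[:], acct.hash[:]) != 1 {
		if acct.failures++; acct.failures >= maxFailures {
			acct.failures, acct.lockedTo = 0, Now().Add(lockoutTime)
		}
		return ErrDenied
	}
	acct.failures = 0
	return nil
}
```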

IoT Security Fail Examples (Update Systems)

No signing of updates

Download over FTP

Server was world-writeable

Server held ALL products
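The device-side checks that would have caught every update-system failure listed above (unsigned updates, an untrusted transport such as FTP, a world-writeable server, one server holding every product's images), as an added Go example that is not from the talk; the Manifest/SignedUpdate format, the Verify and BuildUpdate functions and the Ed25519 vendor key are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// Manifest is a constructed update-manifest format for this example, not the
// format of any product in the talk. The vendor signs it offline.
type Manifest struct {
	Product string   `json:"product"`
	Version uint32   `json:"version"`
	SHA256  [32]byte `json:"sha256"` // digest of the firmware image
}
// SignedUpdate is what the device downloads. The transport (FTP, HTTP) and the
// server (possibly world-writeable) are untrusted, so nothing about them is relied on.
type SignedUpdate struct {
	Manifest  []byte // JSON bytes exactly as signed
	Signature []byte // Ed25519 signature over Manifest
	Image     []byte
}
// Verify runs the device-side checks: vendor signature on the manifest, image digest matching
// the signed manifest, correct product, no rollback. vendorKey is burned in at manufacture.
func Verify(vendorKey ed25519.PublicKey, product string, installed uint32, u SignedUpdate) (*Manifest, error) {
	if !ed25519.Verify(vendorKey, u.Manifest, u.Signature) {
		return nil, errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(u.Manifest, &m); err != nil {
		return nil, err
	}
	if m.Product != product {
		return nil, errors.New("manifest is for a different product")
	}
	if m.Version <= installed {
		return nil, errors.New("rollback refused: version not newer than installed")
	}
	if sha256.Sum256(u.Image) != m.SHA256 {
		return nil, errors.New("image digest does not match signed manifest")
	}
	return &m, nil
}
// BuildUpdate is the vendor-side signing step, included so the example runs stand-alone.
func BuildUpdate(priv ed25519.PrivateKey, m Manifest, image []byte) SignedUpdate {
	m.SHA256 = sha256.Sum256(image)
	b, _ := json.Marshal(m)
	return SignedUpdate{Manifest: b, Signature: ed25519.Sign(priv, b), Image: image}
}
```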

IoT Security Fail Examples

10/10 security systems accept ‘123456’

10/10 security systems with no lockout

10/10 security systems with enumeration

SSH listeners with root/“” (empty password) access

6/10 web interfaces with XSS/SQLi

70% of devices not using encryption

8/10 collected personal information

9/10 had no two-factor options

Unauthenticated video streaming

Completely flawed software update systems

The Need for a Methodology

Mapping IoT Attack Surface Areas

OWASP IoT: I1 — Insecure Web Interface

OWASP IoT: I2 — Insecure Network Services

OWASP IoT: I3 — Lack of Transport Encryption

OWASP IoT: I5 — Privacy Concerns

OWASP IoT: I6 — Insecure Cloud Interface

OWASP IoT: I7 — Insecure Mobile Interface

OWASP IoT: I8 — Insufficient Security Configurability

OWASP IoT: I9 — Insecure Software/Firmware

OWASP IoT: I10 — Poor Physical Security

OWASP IoT Project Goals

1. Understand the main attack surface areas for any IoT device or ecosystem

2. As a tester, be able to hit the major issues for each surface area for the product you’re testing

3. As a manufacturer, be able to ensure that you’ve done your due diligence in security across the main surface areas

4. As a developer, be able to ensure that you’re avoiding the top security issues while building your particular component

5. As a consumer, ensure you’re using the technology safely

OWASP IoT Project Organization

OWASP IoT Project (Context-based Recommendations)

OWASP IoT Project (Consumer Recommendations)

OWASP IoT Project (FAQ)

1. If IoT is just a collection of other technologies, why not just use existing OWASP projects? (one place, multiple spaces)

2. Why call it a Top 10 List, which is traditionally a list of vulnerabilities? (tradition, approachability)

3. Why not have X category, or Y category, or you should move I7 to I2, etc. (excellent, come help)

https://lists.owasp.org/mailman/listinfo/owasp_internet_of_things_top_ten_project

How to Apply This

Concept: The Internet of Things is not just about sensors and machines. It’s about people, and how they will continuously interact with their environments through their personal assistants and Universal Daemonization.

Application: Know the future before others do, and use that knowledge to inform better decisions.

Concept: IoT Security is broken for three reasons: it’s a worst-of-all-worlds scenario, nobody is paid to secure IoT, and 1+1=5 when it comes to security and complexity.

Application: You can now identify the common causes for the mistakes, and look out for them in projects you consult on.

Concept: The OWASP IoT Top 10 Project maps IoT attack surface areas and gives contextual and prescriptive guidance on how to avoid vulnerabilities within each.

Application: You can now use the OWASP IoT Project as a tangible guide to securing the IoT systems you work with.

Other IoT Resources

Build It Securely Project (connects SMBs with researchers): Mark Stanislav and Zach Lanier

I am the Cavalry (focuses on automotive IoT security): Josh Corman

IoT Firmware Testing Training (BlackHat): Paul Asadoorian

Just One More Thing…

OWASP IoT Top 10 Mini-poster!

Card stock

Two-sided

Covers Top 10 Surface Areas

Available for download as well
